Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-27664
Publication date:
26/03/2026
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions
Severity CVSS v4.0: HIGH
Last modification:
26/03/2026

CVE-2026-28297
Publication date:
26/03/2026
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-28298
Publication date:
26/03/2026
SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-26072
Publication date:
26/03/2026
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map` concurrent access (container/optional corruption possible). The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-23995
Publication date:
26/03/2026
EVerest is an EV charging software stack. Prior to version 2026.02.0, stack-based buffer overflow in CAN interface initialization: passing an interface name longer than IFNAMSIZ (16) to CAN open routines overflows `ifreq.ifr_name`, corrupting adjacent stack data and enabling potential code execution. A malicious or misconfigured interface name can trigger this before any privilege checks. Version 2026.02.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-26008
Publication date:
26/03/2026
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have an out-of-bounds access (std::vector) that leads to possible remote crash/memory corruption. This is because the CSMS sends UpdateAllowedEnergyTransferModes over the network. Version 2026.2.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-26070
Publication date:
26/03/2026
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::map` concurrent access (container/optional corruption possible). The trigger is an EV SoC update with powermeter periodic update and unplugging/SessionFinished state. Version 2026.2.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-26071
Publication date:
26/03/2026
EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to `std::string` concurrent access. with heap-use-after-free possible. This is triggered by EVCCID update (EV/ISO15118) and OCPP session/authorization events. Version 2026.02.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-22593
Publication date:
26/03/2026
EVerest is an EV charging software stack. Prior to version 2026.02.0, an off-by-one check in IsoMux certificate filename handling causes a stack-based buffer overflow when a filename length equals `MAX_FILE_NAME_LENGTH` (100). A crafted filename in the certificate directory can overflow `file_names[idx]`, corrupting stack state and enabling potential code execution. Version 2026.02.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-22790
Publication date:
26/03/2026
EVerest is an EV charging software stack. Prior to version 2026.02.0, `HomeplugMessage::setup_payload` trusts `len` after an `assert`; in release builds the check is removed, so oversized SLAC payloads are `memcpy`'d into a ~1497-byte stack buffer, corrupting the stack and enabling remote code execution from network-provided frames. Version 2026.02.0 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2026

CVE-2026-4876
Publication date:
26/03/2026
A vulnerability was identified in itsourcecode Free Hotel Reservation System 1.0. The impacted element is an unknown function of the file /admin/mod_amenities/index.php?view=editpic. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
Severity CVSS v4.0: MEDIUM
Last modification:
26/03/2026

CVE-2026-4877
Publication date:
26/03/2026
A security flaw has been discovered in itsourcecode Payroll Management System up to 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument page results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
26/03/2026
Subscribe to Vulnerabilities